from django.contrib.sites.models import Site
from django.core.urlresolvers import reverse
from django import http
-from django.http import Http404, HttpResponse
+from django.http import Http404, HttpResponse, HttpResponseForbidden
from django.shortcuts import get_object_or_404, render, redirect
from django.utils.encoding import force_str
from django.utils.http import urlquote_plus
@login_required
def book_schedule(request, pk):
book = get_object_or_404(Document, pk=pk, deleted=False)
+ if not book.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
if request.method == 'POST':
Plan.objects.filter(document=book).delete()
for i, (s, name) in enumerate(STAGES):
@login_required
def book_owner(request, pk):
doc = get_object_or_404(Document, pk=pk, deleted=False)
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
user_is_owner = doc.owner_organization and doc.owner_organization.is_member(request.user)
if not (doc.owner_user == request.user or user_is_owner):
raise Http404
@login_required
def book_delete(request, pk):
doc = get_object_or_404(Document, pk=pk, deleted=False)
- if not (doc.owner_user == request.user or doc.owner_organization.is_member(request.user)):
- raise Http404
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
if request.method == 'POST':
doc.deleted = True
from .models import PublishRecord
from dvcs.models import Revision
- # FIXME: check permissions
-
doc = get_object_or_404(Document, pk=pk, deleted=False)
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
form = forms.DocumentTextPublishForm(request.POST, prefix="textpublish")
if form.is_valid():
rev = Revision.objects.get(pk=form.cleaned_data['revision'])
@require_POST
@login_required
def unpublish(request, pk):
- # FIXME: check permissions
-
doc = get_object_or_404(Document, pk=pk, deleted=False)
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
+
doc.publish_log.all().delete()
if request.is_ajax():
return http.HttpResponse('ok')
@never_cache
def editor(request, pk, template_name='wiki/bootstrap.html'):
doc = get_object_or_404(Document, pk=pk, deleted=False)
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
save_form = forms.DocumentTextSaveForm(user=request.user, prefix="textsave")
text = doc.materialize()
@decorator_from_middleware(GZipMiddleware)
def text(request, doc_id):
doc = get_object_or_404(Document, pk=doc_id, deleted=False)
- # if not doc.book.accessible(request):
- # return HttpResponseForbidden("Not authorized.")
if request.method == 'POST':
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave")
if form.is_valid():
if request.user.is_authenticated():
form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert")
if form.is_valid():
doc = get_object_or_404(Document, pk=doc_id, deleted=False)
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
rev = get_object_or_404(Revision, pk=form.cleaned_data['revision'])
comment = form.cleaned_data['comment']
fnp / redakcja.git / commitdiff